By default, the Tripwire RPM adds a shell script called tripwire-check to the /etc/cron.daily/ directory. This script automatically runs an integrity check once per day.
You can, however, run a Tripwire integrity check at any time by typing the following command:
/usr/sbin/tripwire --check |
During an integrity check, Tripwire compares the current state of file system objects with the properties recorded in its database. Violations are printed to the screen and an encrypted copy of the report is created in /var/lib/tripwire/report/. You can view the report using the twprint command as outlined in Section 19.6.1 Viewing Tripwire Reports.
If you would like to receive an email when certain types of integrity violations occur, you can configure this in the policy file. See Section 19.8.1 Tripwire and Email for instructions on how to set up and test this feature.